IPTables sporadic hang or delay, configuration mistakes?

c00l.wave (Apprentice, joined 24 Aug 2003, 268 posts)
Posted: Sat Jun 21, 2008 10:29 pm
I have 3 remote hosts showing the same behaviour, all using kernels >= 2.6.23:
I have a script to maintain firewall rules using IPTables. First it drops old rules, then creates all permanent rules and sets the default policies. Furthermore I use /etc/init.d/iptables to store and load whatever rules have been set on shutdown/reboot. The maintenance script is only run manually if I make any changes.
Sometimes calling the script, as well as restoring the rules on startup, seems to fail. I'm suddenly completely locked out of my server. Sometimes connections get through again after a few seconds up to minutes, most times they won't. I suppose I did something bad in my rules script:
```bash
#!/bin/bash
# == FLUSH ==
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
# == INPUT CHAIN ==
# emergency: allow all ports from associated known trusted static ips
/sbin/iptables -A INPUT -p tcp -s trustedhost -j ACCEPT
/sbin/iptables -A INPUT -p tcp -s anotherhost -j ACCEPT
# SMTP
/sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
# ...
# Teamspeak
/sbin/iptables -A INPUT -p udp --dport 8767 -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 8768 -j ACCEPT
# == OUTPUT CHAIN ==
# DNS
/sbin/iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
# ...
# == DROP EXPLICITLY ==
# WARNING! SOMETHING IS WRONG WITH THESE LINES, IPTABLES CRASHES ON EXECUTION!
# splunk is configured to run here - free version is WITHOUT authorization
#/sbin/iptables -A INPUT -p tcp --dport 28000 -s !localhost -j DROP
#/sbin/iptables -A INPUT -p tcp --dport 28089 -s !localhost -j DROP
# == FINISH ==
# allow established connections
/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
# allow tracked connections to proceed with new connections (FTP for example)
/sbin/iptables -A INPUT -m conntrack --ctstate RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m conntrack --ctstate RELATED -j ACCEPT
# allow ICMP (pings, may be needed for SMTP communication, some other
# servers seem to check us this way and block if they can't)
/sbin/iptables -A INPUT -p icmp -j ACCEPT
# set default policies to drop
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP
# DEBUG: set default policies to accept
# /sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
# /sbin/iptables -A OUTPUT -p tcp -j ACCEPT
# always allow localhost
/sbin/iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
/sbin/iptables -A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
```
I can imagine the following reasons but have no clue which is right:
- Being configured with policy DROP, may OUTPUT still drop after a flush so DNS is closed? I add hosts using hostnames first - can there be a delay in the lookup although the hostnames are entered in /etc/hosts? Due to IPv6 maybe? (I only entered IPv4, but the host can use both.)
- One of the two trusted hosts blocks ICMP and returns a reverse DNS lookup whose domain does not match after another forward lookup of the address returned (e.g. SSH complains about that each time I log on from there). Does IPTables do any checks like this?
- Multiple lines for nearly identical settings conflict with each other (see Teamspeak; I assume that's rather unlikely to happen this way).
- The commented lines for Splunk (labeled "WARNING") have some kind of syntax error. I think I remember they worked from the command line though.
- I create too many rules (I read about limits, but they don't seem to be set this low?).
Can anybody enlighten me on what is going wrong? There's no information in my logfiles, and since the hosts are remote and not VMs I cannot get any live access to them.
_________________
nohup nice -n -20 cp /dev/urandom /dev/null &
jomen (Guru, joined 04 Jan 2006, 536 posts, Leipzig, Germany)
Posted: Tue Jun 24, 2008 9:52 am
I don't get this either:
you allow INPUT only from two specific hosts
you allow INPUT regardless of IP on a few ports: 25 8767 8768
you allow only OUTPUT on 53
then you allow already ESTABLISHED on INPUT and OUTPUT
and you allow icmp...
Then you DROP everything
After having done that (DROP) you allow local-only connections
You don't allow NEW INPUT anywhere - which is surely needed - and before DROPing.
Almost the same for RELATED. ftp can't even ESTABLISH because you only allow RELATED
You don't ACCEPT OUTPUT - the policy for OUTPUT is DROP - and so is FORWARD
As I see it - this system is closed except for connections from two hosts.
_________________
Cheers
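The two posts above turn on rule ordering and on what happens between the flush and the re-added ACCEPT rules. The following is an added example, not c00l.wave's script or anything from the thread: it builds a ruleset for `iptables-restore`, which swaps the whole filter table in one atomic commit, resolves the trusted hostnames with `getent` before the firewall is touched, and puts loopback and ESTABLISHED/RELATED first. The addresses and ports in the usage line are constructed placeholders; the `--apply` switch and the function names are my own.

```sh
#!/bin/sh
# Added example (not the thread's script): generate a ruleset for iptables-restore,
# which replaces the filter table in one atomic commit. Policies, loopback and
# ESTABLISHED/RELATED rules land together, so there is no window in which the
# policy is already DROP but the ACCEPT rules have not been re-added yet.
# Trusted-host names are resolved with getent before anything is loaded, so
# iptables itself never has to wait on DNS while OUTPUT may be closed.

# resolve_v4 NAME -> IPv4 addresses for NAME (honours /etc/hosts, as iptables would).
resolve_v4() { getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u; }

# gen_rules "IP ..." "TCP ports" "UDP ports" -> iptables-restore text on stdout.
gen_rules() {
    trusted=$1; tcp_in=$2; udp_in=$3
    echo '*filter'
    echo ':INPUT DROP [0:0]'       # policies are part of the same transaction
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    # Loopback and existing connections first: the SSH session doing the reload survives.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Explicit drops for local-only services go BEFORE any broad allow. Negation is
    # written "! -s" as a separate token; "-s !localhost" is parsed as a hostname.
    echo '-A INPUT -p tcp --dport 28000 ! -s 127.0.0.1 -j DROP'
    # Emergency access from the trusted addresses, scoped to SSH instead of all TCP.
    for ip in $trusted; do
        echo "-A INPUT -p tcp -s $ip --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $tcp_in; do echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"; done
    for p in $udp_in; do echo "-A INPUT -p udp --dport $p -j ACCEPT"; done
    echo '-A INPUT -p icmp -j ACCEPT'
    # Outbound DNS so later hostname lookups on the box keep working.
    echo '-A OUTPUT -p udp --dport 53 -j ACCEPT'
    echo '-A OUTPUT -p tcp --dport 53 -j ACCEPT'
    echo 'COMMIT'
}

# apply_rules HOST... : resolve first, check that the ruleset parses, then commit it.
apply_rules() {
    ips=$(for h in "$@"; do resolve_v4 "$h"; done)
    gen_rules "$ips" "25" "8767 8768" > /tmp/rules.v4
    iptables-restore --test /tmp/rules.v4 && iptables-restore /tmp/rules.v4
}

# usage (constructed hostnames): ./fw.sh --apply trustedhost anotherhost
if [ "${1-}" = "--apply" ]; then shift; apply_rules "$@"; fi
```

Because policies and rules are committed together, a second run of the script does not pass through a state where the policy is DROP and the table is empty, which is the state a plain `-F` leaves behind when the policies were already set by a previous run.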
c00l.wave (Apprentice, joined 24 Aug 2003, 268 posts)
Posted: Wed Jun 25, 2008 11:30 am
Actually there are a lot more rules for both INPUT and OUTPUT, but since they are set up exactly like the others I thought it would be enough to show only one generic rule per type and the lines I thought might cause my problems. ("# ..." should have indicated there's more in my original file; I maybe should have explained that.)
I assure you everything works fine unless I do what I wrote above. ;)
_________________
nohup nice -n -20 cp /dev/urandom /dev/null &